This article provides a high-level "too long; didn't read" (TL;DR) summary of the CMMC program as a way to dip your toes in before diving into the details.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program will require U.S. Department of Defense (DoD) contractor organizations to achieve certification demonstrating their compliance with baseline cybersecurity controls. Specifically, the CMMC program is concerned with maintaining the confidentiality of controlled unclassified information (“CUI”) to protect sensitive information which could detrimentally impact U.S. national security interests.
In 2010, Executive Order 13556 established a formal definition of CUI and mandated its protection through consistent means across the U.S. federal government. In 2017, the DoD began requiring companies to self-attest to their compliance with the requirements of NIST SP 800-171. However, this method proved to be insufficient, as data breaches involving CUI remained common at organizations that had self-attested to meeting the requirements. In 2020, the DoD implemented CMMC version 1.0 as an interim rule within the Defense Federal Acquisition Regulation Supplement (“DFARS”).
After receiving feedback from the Defense Industrial Base (DIB), the DoD released a revised version of CMMC (2.0) in late 2021, which is the current standard. Due to the complexity of rulemaking within the U.S. federal government and the DoD, the CMMC rule is expected to be finalized in late 2024/early 2025 and enforced within DoD contracts as DFARS 252.204-7021 by October 2025. At that point, DoD contractors will be required to have achieved CMMC compliance and attestation from a Certified Third-Party Assessor Organization (C3PAO) prior to being awarded DoD contracts.
How do I get certified?
The CMMC program establishes three distinct levels of certification. Any organization with access to federal contract information (“FCI”) will be required to self-attest to its compliance with CMMC Level 1, which includes 17 controls.
DoD contractors who store, process, or transmit CUI will be required to undergo validation by a C3PAO every three years to demonstrate compliance with the 110 requirements of NIST Special Publication 800-171 that make up CMMC Level 2.
Finally, organizations with access to certain categories of CUI will be required to undergo triennial validation by a C3PAO of their compliance with the 130 requirements of CMMC Level 3, as defined in NIST Special Publication 800-172.
For a deeper dive on the CMMC program, its context, and requirements, check out CMMC 101: Intro to Compliance or contact us to find out how Triumvirate Cybersecurity can help you prepare for certification!